lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1195660319.759.50.camel@moss-spartans.epoch.ncsc.mil>
Date:	Wed, 21 Nov 2007 10:51:59 -0500
From:	Stephen Smalley <sds@...ho.nsa.gov>
To:	"Serge E. Hallyn" <serue@...ibm.com>
Cc:	linux-kernel@...r.kernel.org, casey@...aufler-ca.com,
	chrisw@...s-sol.org, darwish.07@...il.com, jmorris@...ei.org,
	method@...icmethod.com, morgan@...nel.org, paul.moore@...com
Subject: Re: +
	smack-version-11c-simplified-mandatory-access-control-kernel.patch added to
	-mm tree

On Wed, 2007-11-21 at 09:48 -0600, Serge E. Hallyn wrote:
> Quoting akpm@...ux-foundation.org (akpm@...ux-foundation.org):
> > +/*
> > + * There are not enough CAP bits available to make this
> > + * real, so Casey borrowed the capability that looks to
> > + * him like it has the best balance of similarity amd
> > + * low use.
> > + */
> > +#define CAP_MAC_OVERRIDE CAP_LINUX_IMMUTABLE
> 
> Hey Casey,
> 
> note that 64-bit capabilities are now in -mm, so you could grab your own
> capability.

Which brings up an interesting question - what to do with
security-module-specific capabilities?  CAP_MAC_OVERRIDE is specific to
Smack - other MAC modules like SELinux won't honor it.  Maybe it should
be CAP_SMACK_OVERRIDE.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ